gitops-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill instructs the execution of a remote script by piping it to a shell in 'SKILL.md'.
  - Evidence: 'curl -s https://fluxcd.io/install.sh | sudo bash'.
  - Risk: This allows immediate arbitrary code execution from a non-whitelisted source with root privileges.
- Privilege Escalation (HIGH): Usage of 'sudo' to execute unverified remote content.
  - Evidence: 'SKILL.md' line: 'curl -s https://fluxcd.io/install.sh | sudo bash'.
- External Downloads (MEDIUM): The skill applies Kubernetes manifests directly from a remote URL.
  - Evidence: 'kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml'.
  - Risk: While this is a common practice, the source is not in the trusted whitelist, and the content is executed directly by the cluster controller.
- Indirect Prompt Injection (HIGH): The skill processes content from external Git repositories to make deployment decisions.
  - Ingestion points: 'repoURL' and 'path' fields in ArgoCD 'Application' and Flux 'GitRepository' resources in 'SKILL.md'.
  - Boundary markers: Absent. No delimiters are used to separate user instructions from repository content.
  - Capability inventory: High-privilege Kubernetes operations ('kubectl apply', 'flux bootstrap', automated reconciliation).
  - Sanitization: Absent. No manifest validation or sanitization is mentioned before deployment.
Recommendations
- AI detected serious security threats
Audit Metadata